10623185

Align Session Security for Connected Systems

Published: April 14, 2020
Assignee: not available in USPTO data we have

Patent Claims
18 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A computer-implemented method of granting an aligned secured access to a system resource for a client system during a session having a predefined session time, the method comprising: receiving, from the client system, a first authentication token comprising an authorization for accessing the system resource and comprising the predefined session time, the authorization for accessing the system resource being generated by a first server, and the first authentication token originating from the first server based on an authentication between the client system and the first server, wherein the receiving is by a second server that provides access to the system resource, wherein the predefined session time comprises a preset duration of time for the session, the session to be established between the client system and the second server for accessing the system resource, and wherein a first validity time period value related to the first authentication token defines a time period during which the first authentication token is valid; and based on receiving the first authentication token, sending, to the client system, by the second server, a second authentication token for a second validity period during which the second authentication token is valid, such that an aligned secured access is granted for the client system to the system resource, wherein a second validity time period value of the second validity period of the second authentication token for a service provided by the second server to the client system defines the time period during which the second authentication token is valid and is set equal to said predefined session time received as part of the first authentication token from the client system, thereby making the time period during which the second authentication token is valid correspond to the preset duration of time, which is indicated by the predefined session time in the first authentication token, for the session between the client system and the second server for accessing the system resource.

Plain English Translation

This invention relates to secure access control for system resources in a distributed computing environment. The problem addressed is ensuring aligned and time-bound access permissions between multiple servers during a client session, preventing mismatched validity periods that could lead to unauthorized access or premature session termination. The method involves a client system interacting with two servers: a first server that authenticates the client and generates an initial authentication token, and a second server that controls access to the desired system resource. The first authentication token includes an authorization for resource access and a predefined session time, which specifies the duration for which the session between the client and the second server should remain valid. The first token's validity period is determined by a first validity time period value. Upon receiving the first token, the second server validates it and issues a second authentication token to the client. This second token has a second validity period, which is set equal to the predefined session time from the first token. This ensures the second token's validity period matches the intended session duration, creating an aligned secured access period for the client to the system resource. The second server's service to the client is thus governed by this synchronized validity period, preventing access discrepancies between the two servers. This approach enhances security by maintaining consistent session time boundaries across distributed authentication and resource access systems.

Claim 2

Original Legal Text

2. The method of claim 1 , wherein the method further comprises: initially receiving a request from the client system to access the system resource; based on receiving the request from the client system, redirecting the client system to the first server for authentication and authorization for accessing the system resource; and receiving from the client system, based on the redirecting, the first authentication token comprising the authorization for accessing the system resource.

Plain English Translation

This invention relates to a method for secure access control in a distributed system, addressing the challenge of efficiently authenticating and authorizing client systems before granting access to protected system resources. The method involves an initial request from a client system to access a system resource. Upon receiving this request, the client system is redirected to a first server responsible for authentication and authorization. The first server verifies the client's credentials and, if successful, generates a first authentication token that includes the necessary authorization for accessing the requested system resource. This token is then received back from the client system, completing the authentication and authorization process. The method ensures that only properly authenticated and authorized clients can access the system resource, enhancing security in distributed environments. The invention may be part of a broader system that includes multiple servers and clients, where the first server acts as an authentication gateway before resource access is permitted. The approach streamlines the authentication flow by centralizing authorization checks at the first server, reducing the need for repeated credential verification.

Claim 3

Original Legal Text

3. The method of claim 1 , wherein the second server has stored a default session time for new sessions with client devices, and wherein the second validity time period value for the session between the client system and the second server is set as the predefined session time, in lieu of the default session time, based on the second server receiving the predefined session time as part of the first authentication token from the client device.

Plain English Translation

This claim addresses how the second server chooses the session length. A resource server normally has a stored default session time that it applies to every new client session. Under this claim, when the first authentication token it receives from the client carries a predefined session time, the second server uses that value for the session's second validity period instead of its default. The session time is not chosen by the client: it is placed in the token by the first server, which authenticated the client, and the client only relays the token to the second server. The default remains the fallback for tokens that carry no session time. The practical effect is that session length is governed by the authentication server's policy rather than by a fixed value configured on each resource server, so the two systems cannot disagree about when the session should end.

Claim 4

Original Legal Text

4. The method of claim 1 , wherein the authorization for accessing the system resource is generated by the first server based on a timestamp and a private key of the first server or a destination identifier of the second server, and wherein the second server has stored a public key related to the private key of the first server.

Plain English Translation

This claim specifies how the authorization in the first token is produced and checked. The first server generates the authorization from a timestamp together with either its own private key or a destination identifier naming the second server, and the second server holds the public key corresponding to that private key. With the public key, the second server can confirm that the authorization, and the session time travelling with it, was issued by the first server and was not altered on its way through the client. The timestamp bounds the period during which the authorization is accepted, which limits, though does not by itself eliminate, the window for replaying a captured token. The destination identifier ties the authorization to one particular second server, so a token issued for one resource server is not accepted by a different resource server that trusts the same first server. Only the holder of the private key can produce a valid authorization, while anyone holding the public key can verify one; this is what lets the second server check tokens without sharing a secret with the first server.

Claim 5

Original Legal Text

5. The method of claim 1 , wherein the second server grants access to the system resource using the first authentication token.

Plain English Translation

This claim states that the second server grants access to the system resource on the strength of the first authentication token itself. The first server has already authenticated the client and placed an authorization for the resource in the token; the second server, having verified the token as claim 4 describes, relies on that authorization rather than authenticating the client again. The second token it issues under claim 1 then carries the session forward for the aligned validity period. This is the usual division of labour between an authentication server and a resource server: the resource server trusts authorizations issued by the authentication server, subject to its own checks on validity period and intended destination.

Claim 6

Original Legal Text

6. The method of claim 1 , wherein a plurality of second validity time period values are used by the second server, each one related to one of a plurality of first authentication tokens received.

Plain English Translation

This claim covers the second server handling many sessions at once. Each first authentication token it accepts carries its own predefined session time, so the second server keeps a separate second validity time period value for each one rather than a single server-wide value. Two clients, or two users with different predefined session times (claim 8), therefore receive second tokens that expire at different times, and the second server must record and enforce each expiry individually. In practice the per-session validity is state the second server stores alongside the session, and a request is allowed only while the value recorded for that particular session has not elapsed.

Claim 7

Original Legal Text

7. The method of claim 1 , wherein the first validity time period value of the first authentication token is smaller than the second validity period value of the second authentication token.

Plain English Translation

This claim fixes the relationship between the two validity periods: the first token's validity is shorter than the second token's. The first token is the credential that travels from the first server through the client to the second server; it exists only to start the session, so it can expire within a short window, and a copy captured in transit is useful to an attacker only for that window. The second token is what the client uses for the rest of the session, so its validity equals the predefined session time and is necessarily longer. A practitioner would expect the second server to reject a first token presented after its short validity period even when the session time it carries is still far in the future.

Claim 8

Original Legal Text

8. The method of claim 1 , wherein the predefined session time is different for different users of the client system.

Plain English Translation

This claim allows the predefined session time to differ between users of the client system. Because the session time is set by the first server and carried in the token it issues, the first server can apply a per-user policy, and the second server aligns each session to whatever value arrives in that user's token without needing per-user configuration of its own. The claim does not specify how the per-user value is chosen; a deployment might, for example, give accounts with higher privileges shorter sessions. Nothing in the claim involves monitoring activity during the session: the session time is fixed when the first token is issued.
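The exchange described across claims 1 through 8, as an added example in Go that is not part of the patent or of any product: the first server signs a token carrying a destination identifier, a timestamp, a short first validity period and the per-user predefined session time; the second server verifies it with the stored public key, rejects it when the signature, destination or validity window is wrong, and otherwise issues a second token whose validity is set to the predefined session time instead of its own default. The field names (`sub`, `aud`, `iat`, `exp`, `session_time`), the JSON encoding, the Ed25519 signature scheme, the server name `resource.example`, the user names and the session lengths are assumptions of this example; the claims name the concepts but none of these specifics.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// FirstToken is the body the first server signs; the field names are this example's assumptions.
type FirstToken struct {
	Subject     string `json:"sub"`
	Destination string `json:"aud"`          // destination identifier of the second server (claim 4)
	IssuedAt    int64  `json:"iat"`          // timestamp (claim 4)
	ExpiresAt   int64  `json:"exp"`          // end of the first validity period (claim 1)
	SessionSecs int64  `json:"session_time"` // predefined session time (claim 1)
}

// Signed is the JSON body plus the first server's Ed25519 signature over it.
type Signed struct{ Body, Sig []byte }

// FirstServer authenticates the client and issues first tokens.
type FirstServer struct {
	priv        ed25519.PrivateKey
	sessionTime map[string]time.Duration // per-user predefined session time (claim 8)
	tokenTTL    time.Duration            // first validity period, shorter than any session (claim 7)
}

// Issue signs a first token for user, addressed to the second server dst.
func (f *FirstServer) Issue(user, dst string, now time.Time) (Signed, error) {
	st, ok := f.sessionTime[user]
	if !ok || f.tokenTTL >= st {
		return Signed{}, errors.New("unknown user, or first token would outlive the session it starts")
	}
	body, _ := json.Marshal(FirstToken{Subject: user, Destination: dst, IssuedAt: now.Unix(),
		ExpiresAt: now.Add(f.tokenTTL).Unix(), SessionSecs: int64(st / time.Second)}) // cannot fail for this struct
	return Signed{Body: body, Sig: ed25519.Sign(f.priv, body)}, nil
}

// SecondToken is the session credential the second server returns to the client.
type SecondToken struct {
	SessionID, Subject string
	ExpiresAt          time.Time
}

// SecondServer guards the resource and holds the first server's public key (claim 4).
type SecondServer struct {
	id         string
	firstPub   ed25519.PublicKey
	defaultTTL time.Duration        // applies only when the token carries no session time (claim 3)
	sessions   map[string]time.Time // one second validity value per accepted first token (claim 6)
}

// Exchange validates a first token and issues the aligned second token (claim 1).
func (s *SecondServer) Exchange(tok Signed, now time.Time) (SecondToken, error) {
	// The session time is trusted because the first server signed it, not because the client sent it.
	if !ed25519.Verify(s.firstPub, tok.Body, tok.Sig) {
		return SecondToken{}, errors.New("signature does not verify")
	}
	var ft FirstToken
	if err := json.Unmarshal(tok.Body, &ft); err != nil {
		return SecondToken{}, err
	}
	if t := now.Unix(); ft.Destination != s.id || t < ft.IssuedAt || t >= ft.ExpiresAt {
		return SecondToken{}, errors.New("first token is not for this server or is outside its validity period")
	}
	ttl := s.defaultTTL
	if ft.SessionSecs > 0 {
		ttl = time.Duration(ft.SessionSecs) * time.Second // the predefined time replaces the default
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return SecondToken{}, err
	}
	st := SecondToken{SessionID: base64.RawURLEncoding.EncodeToString(raw), Subject: ft.Subject, ExpiresAt: now.Add(ttl)}
	s.sessions[st.SessionID] = st.ExpiresAt
	return st, nil
}

// Allowed reports whether a second token still grants access at time now, from the server's own record.
func (s *SecondServer) Allowed(t SecondToken, now time.Time) bool {
	exp, ok := s.sessions[t.SessionID]
	return ok && now.Before(exp)
}

// Setup wires both servers with constructed policy: first tokens live 60 s, alice's session is 30 min, bob's 5 min, the default 8 h.
func Setup() (*FirstServer, *SecondServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	first := &FirstServer{priv: priv, tokenTTL: 60 * time.Second,
		sessionTime: map[string]time.Duration{"alice": 30 * time.Minute, "bob": 5 * time.Minute}}
	second := &SecondServer{id: "resource.example", firstPub: pub, defaultTTL: 8 * time.Hour,
		sessions: map[string]time.Time{}}
	return first, second, nil
}
```

Calling `Setup`, then `first.Issue("alice", "resource.example", now)` and `second.Exchange(tok, now)` yields a second token that expires 30 minutes after `now`, not 8 hours, because the session time in the signed body overrides the resource server's default; a token for bob expires after 5 minutes, and the two sessions are tracked separately. The order of checks in `Exchange` is the point worth keeping: the session time is read only after the signature has verified, so a client that edits `session_time` in transit, presents a token issued for another destination, or presents the first token after its 60 s window gets no session at all. If the resource server instead accepted a session length from an unsigned request parameter, the client would be choosing its own session duration.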

Claim 9

Original Legal Text

9. A computer system for granting an aligned secured access to a system resource for a client system during a session having a predefined session time, the computer system comprising: a memory; and a processor in communication with the memory, wherein the computer system is configured to perform a method, the method comprising: receiving, from the client system, a first authentication token comprising an authorization for accessing the system resource and comprising the predefined session time, the authorization for accessing the system resource being generated by a first server, and the first authentication token originating from the first server based on an authentication between the client system and the first server, wherein the receiving is by a second server that provides access to the system resource, wherein the predefined session time comprises a preset duration of time for the session, the session to be established between the client system and the second server for accessing the system resource, and wherein a first validity time period value related to the first authentication token defines a time period during which the first authentication token is valid; and based on receiving the first authentication token, sending, to the client system, by the second server, a second authentication token for a second validity period during which the second authentication token is valid, such that an aligned secured access is granted for the client system to the system resource, wherein a second validity time period value of the second validity period of the second authentication token for a service provided by the second server to the client system defines the time period during which the second authentication token is valid and is set equal to said predefined session time received as part of the first authentication token from the client system, thereby making the time period during which the second authentication token is valid correspond to the preset duration of time, which is indicated by the predefined session time in the first authentication token, for the session between the client system and the second server for accessing the system resource.

Plain English Translation

This invention relates to secure access control systems for managing client-server interactions. The problem addressed is ensuring synchronized and time-aligned authentication between multiple servers during a session with a predefined duration. The system involves a client system, a first server that authenticates the client and issues an initial authentication token, and a second server that provides access to a system resource. The first authentication token includes authorization for accessing the resource and a predefined session time, which specifies the duration of the session between the client and the second server. The second server receives this token and, in response, issues a second authentication token with a validity period matching the predefined session time. This alignment ensures the second token's validity corresponds exactly to the session duration, maintaining secure and time-bound access to the resource. The system dynamically synchronizes token lifetimes across servers, preventing unauthorized access beyond the intended session duration. The solution enhances security by ensuring tokens expire at the same time as the session, reducing exposure to potential breaches.

Claim 10

Original Legal Text

10. The computer system of claim 9 , wherein the method further comprises: initially receiving a request from the client system to access the system resource; based on receiving the request from the client system, redirecting the client system to the first server for authentication and authorization for accessing the system resource; and receiving from the client system, based on the redirecting, the first authentication token comprising the authorization for accessing the system resource.

Plain English Translation

This invention relates to a computer system for managing secure access to system resources, particularly in environments where authentication and authorization are handled by separate servers. The problem addressed is the need for efficient and secure resource access control in distributed systems, where authentication and authorization processes are often decoupled. The system includes a client system, a first server for authentication and authorization, and a second server for managing access to the system resource. The process begins when the client system sends a request to access the system resource. Upon receiving this request, the system redirects the client to the first server, which handles authentication and authorization. The first server generates an authentication token containing the necessary authorization for accessing the system resource. The client system then receives this token and presents it to the second server, which verifies the token and grants access to the system resource if the token is valid. This approach ensures that authentication and authorization are centralized and managed securely, reducing the risk of unauthorized access while maintaining efficiency in resource access control. The system is particularly useful in cloud computing, enterprise networks, and other distributed environments where secure resource access is critical.

Claim 11

Original Legal Text

11. The computer system of claim 9 , wherein the second server has stored a default session time for new sessions with client devices, and wherein the second validity time period value for the session between the client system and the second server is set as the predefined session time, in lieu of the default session time, based on the second server receiving the predefined session time as part of the first authentication token from the client device.

Plain English Translation

This claim is the computer-system counterpart of claim 3. The second server stores a default session time for new client sessions, but when the first authentication token presented by the client carries a predefined session time, the second validity time period for that session is set to the predefined value in lieu of the default. The predefined session time originates from the first server, which authenticated the client and generated the token; the client device only relays it. The result is that the resource server's default is overridden by the authentication server's policy on a per-session basis, while the default still governs sessions whose token carries no session time.

Claim 12

Original Legal Text

12. The computer system of claim 9 , wherein the authorization for accessing the system resource is generated by the first server based on a timestamp and a private key of the first server or a destination identifier of the second server, and wherein the second server has stored a public key related to the private key of the first server.

Plain English Translation

This claim is the computer-system counterpart of claim 4. The authorization in the first token is generated by the first server from a timestamp and either the first server's private key or a destination identifier of the second server, and the second server stores the public key related to that private key. Note the roles: the first server issues the authorization for the client, and the second server is the resource provider that verifies it; the second server is not itself requesting access. With the stored public key the second server can check that the authorization, and the session time bound together with it, came from the first server and was not modified while passing through the client. The timestamp limits how long a captured token remains usable, and the destination identifier restricts the token to the one second server it was issued for, so it cannot be presented to a different resource server that also trusts the first server.

Claim 13

Original Legal Text

13. The computer system of claim 9 , wherein the second server grants access to the system resource using the first authentication token.

Plain English Translation

A computer system is designed to manage secure access to system resources across multiple servers. The system includes a first server that generates a first authentication token for a user, where this token is used to authenticate the user for accessing system resources. The system also includes a second server that receives a request from the user to access a system resource. The second server verifies the first authentication token and, if valid, grants access to the requested system resource. This approach allows for centralized authentication while enabling distributed resource access, improving security and efficiency in multi-server environments. The system ensures that authentication tokens issued by one server are recognized and trusted by other servers, reducing the need for redundant authentication steps. This is particularly useful in cloud computing, enterprise networks, or any environment where multiple servers must securely share access to resources. The system may also include additional security measures, such as token expiration or revocation, to further enhance protection.

Claim 14

Original Legal Text

14. The computer system of claim 9 , wherein the first validity time period value of the first authentication token is smaller than the second validity period value of the second authentication token.

Plain English Translation

This claim is the computer-system counterpart of claim 7: the first validity time period value of the first authentication token is smaller than the second validity period value of the second authentication token. The first token is only the hand-off credential between the first server and the second server via the client, so its lifetime is kept short; the second token covers the whole session, whose length is the predefined session time, and so lasts longer. The claim names no modules or rules for choosing the two values beyond this ordering.

Claim 15

Original Legal Text

15. A computer program product for granting an aligned secured access to a system resource for a client system during a session having a predefined session time, the computer program product comprising: a non-transitory computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising: receiving, from the client system, a first authentication token comprising an authorization for accessing the system resource and comprising the predefined session time, the authorization for accessing the system resource being generated by a first server, and the first authentication token originating from the first server based on an authentication between the client system and the first server, wherein the receiving is by a second server that provides access to the system resource, wherein the predefined session time comprises a preset duration of time for the session, the session to be established between the client system and the second server for accessing the system resource, and wherein a first validity time period value related to the first authentication token defines a time period during which the first authentication token is valid; and based on receiving the first authentication token, sending, to the client system, by the second server, a second authentication token for a second validity period during which the second authentication token is valid, such that an aligned secured access is granted for the client system to the system resource, wherein a second validity time period value of the second validity period of the second authentication token for a service provided by the second server to the client system defines the time period during which the second authentication token is valid and is set equal to said predefined session time received as part of the first authentication token from the client system, thereby making the time period during which the second authentication token is valid correspond to the preset duration of time, which is indicated by the predefined session time in the first authentication token, for the session between the client system and the second server for accessing the system resource.

Plain English Translation

This invention relates to secure access control for system resources in a distributed computing environment. The problem addressed is ensuring aligned and time-bound access to system resources during a session between a client system and a server, where the session duration is predefined and synchronized across authentication tokens. The system involves a client system, a first server that generates authentication tokens, and a second server that controls access to a system resource. The first server authenticates the client system and issues a first authentication token containing an authorization for accessing the system resource and a predefined session time, which defines the duration of the session. The first authentication token is valid for a first validity time period. The second server, which manages access to the system resource, receives the first authentication token from the client system. In response, the second server generates and sends a second authentication token to the client system. The second token has a second validity period that matches the predefined session time from the first token, ensuring the session duration is consistent between both servers. This alignment ensures the client system has secure access to the system resource for the exact predefined session duration, enhancing security and session management.

Claim 16

Original Legal Text

16. The computer program product of claim 15 , wherein the method further comprises: initially receiving a request from the client system to access the system resource; based on receiving the request from the client system, redirecting the client system to the first server for authentication and authorization for accessing the system resource; and receiving from the client system, based on the redirecting, the first authentication token comprising the authorization for accessing the system resource.

Plain English Translation

This invention relates to a computer program product for managing access to system resources in a distributed computing environment. The problem addressed is the need for secure and efficient authentication and authorization when a client system requests access to a protected resource. The solution involves a multi-step process to ensure proper access control. The system includes a client system, a first server for authentication and authorization, and a second server for managing access to the system resource. Initially, the client system sends a request to access the system resource. Upon receiving this request, the system redirects the client to the first server, which handles authentication and authorization. The first server verifies the client's credentials and, if successful, generates an authentication token that includes the necessary authorization for accessing the system resource. This token is then sent back to the client system, which presents it to the second server to gain access to the requested resource. The second server validates the token before granting access, ensuring that only properly authenticated and authorized clients can interact with the system resource. This approach enhances security by centralizing authentication and authorization processes while maintaining efficient access control.

Claim 17

Original Legal Text

17. The computer program product of claim 15, wherein the second server has stored a default session time for new sessions with client devices, and wherein the second validity time period value for the session between the client system and the second server is set as the predefined session time, in lieu of the default session time, based on the second server receiving the predefined session time as part of the first authentication token from the client device.

Plain English Translation

This invention relates to session management in distributed computing systems, specifically addressing the challenge of dynamically setting session timeouts based on a client-presented parameter. In such systems, servers typically enforce default session timeouts for security or performance reasons, but these fixed values may not always align with client requirements or usage patterns. The invention improves upon this by allowing a client device to influence the session timeout duration on a server by transmitting a predefined session time as part of an authentication token during the initial connection. The server, upon receiving this token, overrides its default session timeout and instead applies the token-specified value for the duration of the session. This approach enables more flexible session management, accommodating varying client needs while maintaining server control over session parameters. The system involves a client device presenting an authentication token containing the predefined session time (the first authentication token it received from the first server), transmitting it to the second server, and that server parsing the token to extract and apply the specified timeout value. This method ensures that session durations are dynamically adjusted based on client input, improving user experience and system adaptability without compromising security.

Claim 18

Original Legal Text

18. The computer program product of claim 15, wherein the authorization for accessing the system resource is generated by the first server based on a timestamp and a private key of the first server or a destination identifier of the second server, and wherein the second server has stored a public key related to the private key of the first server.

Plain English Translation

This computer program uses timestamps and a secret key (or destination info) from the first server to create a secure access pass. The second server verifies this pass using a publicly available key that corresponds to the first server's secret key.
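As an added example (not the patent's or any implementation's code), the token flow of claim 1 together with the default override of claim 17 and the public-key check of claim 18, modelled in Go with Ed25519: the first server signs a token carrying a timestamp, its validity window and the predefined session time; the second server verifies it with the stored public key, checks the window, and derives the second token's expiry from the predefined session time rather than its own default. The field names, JSON layout, choice of Ed25519 and the default value are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// FirstToken is the first server's token (field names and layout are assumptions).
type FirstToken struct {
	Subject     string `json:"sub"`
	IssuedAt    int64  `json:"iat"`     // timestamp folded into the authorization
	ExpiresAt   int64  `json:"exp"`     // end of the first validity time period
	SessionSecs int64  `json:"session"` // predefined session time, in seconds
}
type SignedToken struct{ Payload, Sig []byte } // serialized FirstToken plus signature
const DefaultSessionSecs int64 = 1800 // second server's stored default (assumed value)

// IssueFirstToken signs the authorization with the first server's private key.
func IssueFirstToken(priv ed25519.PrivateKey, t FirstToken) SignedToken {
	p, _ := json.Marshal(t) // cannot fail for this plain struct
	return SignedToken{Payload: p, Sig: ed25519.Sign(priv, p)}
}

// AlignSession is the second server's side: verify with the stored public key,
// check the validity window, then return the second token's expiry, which is now
// plus the predefined session time (the default applies only if none was sent).
func AlignSession(pub ed25519.PublicKey, now int64, st SignedToken) (int64, error) {
	if !ed25519.Verify(pub, st.Payload, st.Sig) {
		return 0, errors.New("signature does not verify with the first server's public key")
	}
	var t FirstToken
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return 0, err
	}
	if now < t.IssuedAt || now >= t.ExpiresAt {
		return 0, errors.New("first token outside its validity period")
	}
	if t.SessionSecs <= 0 {
		return now + DefaultSessionSecs, nil
	}
	return now + t.SessionSecs, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	st := IssueFirstToken(priv, FirstToken{Subject: "alice", IssuedAt: 1000, ExpiresAt: 1060, SessionSecs: 900})
	fmt.Println(AlignSession(pub, 1010, st)) // 1910 <nil>
}
```

Because the session time sits inside the signed payload, a client cannot lengthen its own session by editing the token: the signature check fails before the value is read.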

Patent Metadata

Filing Date

Unknown

Publication Date

April 14, 2020

Inventors

Sascha Schefenacker
Stefan Schmitt


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “ALIGN SESSION SECURITY FOR CONNECTED SYSTEMS” (10623185). https://patentable.app/patents/10623185

